Designing Backups for Data Privacy and Ransomware

Two external factors are forcing organizations to rethink their backup process and how they store backup data. The first is the ever-increasing threat of ransomware, which encrypts production data, forcing the customer to pay for a “key” to decrypt it. The second is data protection and privacy regulations like the European Union’s (EU) General Data Protection Regulation (GDPR). The EU isn’t unique in passing regulations like GDPR. The state of California just passed the California Consumer Privacy Act, which is similar to GDPR in many ways. Other states and even the federal government are considering similar legislation.

These two external factors, ransomware and data privacy regulations, directly impact the data protection process. In many ways, they force the organization to “up their game” regarding protection, retention, and recovery. In other ways, they force the organization to organize data protection better, so they can comply with various aspects of data privacy requirements.

Data protection, historically, is a complicated mess. The new threats facing the data center force much more frequent data protection events. If backup vendors don’t reduce complexity, then IT drowns in the process. The first step in meeting the challenges of threats like ransomware and regulations like GDPR is to simplify the backup process so IT can protect data consistently and reliably. Protection solutions need to change from a job-focused protection mindset to a service level protection mindset. Instead of indicating that the backup job runs at noon, 2:00 pm and 4:00 pm, IT should only have to indicate the recovery point objective for a dataset or application. The time-based job schedule becomes, “make sure if I need to recover this dataset, I only lose two hours of information.”
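An added example, not from the original article or any backup product: a recovery point objective declared per dataset and a backup history checked against it. The dataset names, timestamps and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Declared service levels (constructed): dataset -> recovery point objective.
RPO_POLICY = {"orders-db": timedelta(hours=2), "file-share": timedelta(hours=24)}

# Constructed catalog of completed backups per dataset.
BACKUP_HISTORY = {
    "orders-db": [
        datetime(2024, 5, 1, 8, 0),
        datetime(2024, 5, 1, 10, 0),
        datetime(2024, 5, 1, 13, 30),  # 3.5 h after the previous copy
        datetime(2024, 5, 1, 15, 0),
    ],
    "file-share": [datetime(2024, 4, 30, 22, 0)],
}


def rpo_violations(history, rpo, now):
    """Return (start, end, exposure) windows where data loss would exceed rpo.

    The window from the newest backup to `now` counts too, so a schedule that
    silently stopped is reported as well.
    """
    if not history:
        return [(None, now, None)]  # never backed up: unbounded exposure
    points = sorted(history) + [now]
    return [(a, b, b - a) for a, b in zip(points, points[1:]) if b - a > rpo]


def backup_due(history, rpo, now, run_time=timedelta(0)):
    """True when a backup must start now to finish before rpo is exceeded."""
    if not history:
        return True
    return now + run_time - max(history) >= rpo


def policy_report(now):
    """Evaluate every dataset in RPO_POLICY against BACKUP_HISTORY."""
    return {name: rpo_violations(BACKUP_HISTORY.get(name, []), rpo, now)
            for name, rpo in RPO_POLICY.items()}
```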

Another step in meeting these new threats and challenges is to secure the backup itself. Ransomware, in particular, poses a threat to the data that backup systems store. The malware can, accidentally or by design, find the backup system data files and encrypt them. In fact, in an increasing number of cases, ransomware now specifically targets backup data first.

Most vendors point to the importance of an “air-gapped” copy of data as protection. The problem is that newer malware strains are not executing their encryption process the moment they infiltrate the organization’s servers. Instead, the malware sits idle for a time, allowing it to get backed up repeatedly. As a result of the time delay, the backup process copies the malware file to multiple backup versions no matter where it stores the backup: disk, tape, or cloud.

The answer to this problem is to set the backup data to read-only, so it is immutable. Further, the solution needs to make sure that an external client can’t access the data, and that data can only be removed from within the backup system or through a normal backup aging process. In addition to a read-only status, the backup solution needs to provide granular visibility into the backups, so IT can detect and remove the malware file before recovering data.
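An added example, not from the original article or any backup product, of the granular check described above: per-version file manifests are searched for a known-bad digest so the newest backup can be restored without the dormant malware file. The catalog, paths and digests are constructed placeholders, and the sketch assumes the malware file's digest is known after the incident.

```python
from dataclasses import dataclass


@dataclass(frozen=True)  # read-only record, mirroring the immutable backup
class BackupVersion:
    taken: str       # ISO timestamp of the backup
    manifest: tuple  # ((path, content_digest), ...) recorded at backup time


# Constructed catalog. "bad0" is a placeholder digest for the malware file.
BAD_DIGESTS = {"bad0"}
CATALOG = [
    BackupVersion("2024-05-01T02:00", (("/srv/app.bin", "a1"), ("/srv/data.db", "d1"))),
    BackupVersion("2024-05-02T02:00", (("/srv/app.bin", "a1"), ("/srv/data.db", "d2"),
                                       ("/tmp/upd.exe", "bad0"))),
    BackupVersion("2024-05-03T02:00", (("/srv/app.bin", "a1"), ("/srv/data.db", "d3"),
                                       ("/tmp/upd.exe", "bad0"))),
]


def infected_paths(version, bad_digests):
    """Paths in one backup version whose recorded digest matches an indicator."""
    return sorted(p for p, digest in version.manifest if digest in bad_digests)


def restore_plan(catalog, bad_digests):
    """Plan a restore of the newest version with flagged files withheld.

    Restoring the newest version keeps the freshest data; falling back to the
    last clean version would discard every change made since the malware
    arrived, so that version is reported only for reference.
    """
    ordered = sorted(catalog, key=lambda v: v.taken)
    hits = [v for v in ordered if infected_paths(v, bad_digests)]
    clean = [v for v in ordered if not infected_paths(v, bad_digests)]
    newest = ordered[-1]
    withheld = infected_paths(newest, bad_digests)
    return {
        "version": newest.taken,
        "restore": sorted(p for p, _ in newest.manifest if p not in withheld),
        "withhold": withheld,
        "first_seen": hits[0].taken if hits else None,
        "last_clean": clean[-1].taken if clean else None,
    }
```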

The immutability and granular recovery will also enable the organization to meet the most challenging part of data privacy regulations: “the right to be forgotten.” Most data privacy regulations stipulate that a user can request organizations to remove all of the user’s data from the organization’s storage. While case law is still needed to determine the full scope of complying with the request, one can assume that data in backups requires proper management so that restoring data does not also restore a “forgotten” user’s data. The right to be forgotten component of data privacy laws means being able to remove specific components of data from within a backup or using an isolated recovery method to remove the user’s data before moving the rest of the data back into production.
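An added example, not from the original article or any backup product, of the isolated recovery method: backup rows are staged, rows belonging to erased users are dropped, and a gate verifies the result before anything returns to production. The erasure ledger, its keyed-hash format, the table layout and all values are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the erasure ledger lives outside the backups and stores only a
# keyed hash of each erased user id, so the ledger itself holds no personal data.
LEDGER_KEY = b"constructed-demo-key"


def ledger_token(user_id):
    """Keyed hash under which an erased user is recorded in the ledger."""
    return hmac.new(LEDGER_KEY, user_id.encode(), hashlib.sha256).hexdigest()


# Constructed sample: an erasure request honoured after the backup was taken.
ERASURE_LEDGER = {ledger_token("u-1002")}

# Constructed rows as they exist inside the immutable backup (never modified).
BACKUP_TABLES = {
    "users":  [{"user_id": "u-1001", "email": "a@example.com"},
               {"user_id": "u-1002", "email": "b@example.com"}],
    "orders": [{"order_id": 1, "user_id": "u-1002", "total": 40},
               {"order_id": 2, "user_id": "u-1001", "total": 15}],
}


def isolated_restore(backup_tables, ledger, owner_field="user_id"):
    """Stage the backup in isolation and drop rows owned by erased users.

    Returns (clean_tables, dropped_counts); only clean_tables moves on.
    """
    clean, dropped = {}, {}
    for table, rows in backup_tables.items():
        kept = [dict(r) for r in rows
                if ledger_token(str(r[owner_field])) not in ledger]
        clean[table] = kept
        dropped[table] = len(rows) - len(kept)
    return clean, dropped


def verify_no_forgotten(tables, ledger, owner_field="user_id"):
    """Gate before cut-over: True only if no staged row has an erased owner."""
    return all(ledger_token(str(r[owner_field])) not in ledger
               for rows in tables.values() for r in rows)
```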


Ransomware and data privacy are just two examples of the new threats and regulations on the horizon that IT needs to tackle. It is difficult to predict what new concerns will present themselves in the next year, let alone the next five years. Ensuring the data protection architecture meets whatever challenge appears requires that the solution be easy to use, easy to adapt, and able to provide insight into the data it is protecting.

Sponsored by Rubrik

George Crump is the Chief Marketing Officer at VergeIO, the leader in Ultraconverged Infrastructure. Prior to VergeIO he was Chief Product Strategist at StorONE. Before assuming roles with innovative technology vendors, George spent almost 14 years as the founder and lead analyst at Storage Switzerland. In his spare time, he continues to write blogs on Storage Switzerland to educate IT professionals on all aspects of data center storage. He is the primary contributor to Storage Switzerland and is a heavily sought-after public speaker. With over 30 years of experience designing storage solutions for data centers across the US, he has seen the birth of such technologies as RAID, NAS, SAN, Virtualization, Cloud, and Enterprise Flash. Before founding Storage Switzerland, he was CTO at one of the nation's largest storage integrators, where he was in charge of technology testing, integration, and product selection.
